Use “sufficient” if you want one to authentication methods to succeed(OTP or normal password) or use “required” or “requisite” if both have to succeed. Dont use “sufficient” alone without any “required” after it, you will open a security hole in your system. More in man pam.conf.

Example configuration for remote login services like ssh, in /etc/pam.d/system-remote-login

#here our changes, we have to define here other checks, which are usually included via system-login
#auth include system-login
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_oath.so usersfile=/etc/users.oath window=10 digits=6
#comment the next line if you want to have only OTP authentication and change the previous line to required or requisite
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
#end of changes
account include system-login
password include system-login
session include system-login